Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

access:pre-auth — CVE vulnerabilities tagged 20998

20998 CVE security advisories tagged "access:pre-auth" with AI Chinese analysis, CVSS, references and POCs.

The tag "access:pre-auth" identifies vulnerabilities that allow unauthenticated attackers to gain unauthorized access to a system, application, or network resource before legitimate credentials are verified. This classification is critical because it represents the lowest barrier to entry for exploitation, enabling remote code execution, data exfiltration, or full system compromise without prior authentication. Typical scenarios involve flaws in authentication mechanisms, such as broken access controls, insecure direct object references, or logic errors in session management that bypass login requirements. Attackers frequently target these weaknesses via exposed APIs, administrative interfaces, or default configurations. Because no user interaction or valid credentials are needed, pre-authentication flaws are among the most severe and widely exploited security issues, often leading to immediate breach of confidentiality, integrity, and availability across affected infrastructure.

CVE IDTitleCVSSSeverityPublished
CVE-2026-0490 Denial of service (DOS) in SAP BusinessObjects BI Platform — SAP BusinessObjects BI PlatformCWE-862 7.5 High2026-02-10
CVE-2026-0485 Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform — SAP BusinessObjects BI PlatformCWE-405 7.5 High2026-02-10
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API — FUXACWE-22 7.5AIHighAI2026-02-09
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration — FUXACWE-321 9.8AICriticalAI2026-02-09
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting — FUXACWE-285 9.8AICriticalAI2026-02-09
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write — FUXACWE-862 9.3AICriticalAI2026-02-09
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration — FUXACWE-290 9.8AICriticalAI2026-02-09
CVE-2026-25885 PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats — PolarLearnCWE-285 6.5AIMediumAI2026-02-09
CVE-2026-25878 FroshAdminer Adminer UI is accessible without admin session — FroshPlatformAdminerCWE-306 9.4AICriticalAI2026-02-09
CVE-2026-25791 Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service — sliverCWE-306 7.5 High2026-02-09
CVE-2026-25480 FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD) — litestarCWE-176 6.5 Medium2026-02-09
CVE-2026-25231 FileRise affected by an Unauthenticated File Read Due to Insufficient Access Control — FileRiseCWE-284 7.5 High2026-02-09
CVE-2026-22906 Hardcoded Key Allows Credential Disclosure — 0852-1322CWE-321 9.8 Critical2026-02-09
CVE-2026-22905 Authentication Bypass via URI Traversal — 0852-1322CWE-22 7.5 High2026-02-09
CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd — 0852-1322CWE-121 9.8 Critical2026-02-09
CVE-2026-22903 Stack Overflow via SESSIONID Cookie in lighttpd — 0852-1322CWE-121 9.8 Critical2026-02-09
CVE-2026-2236 HGiga|C&Cm@il - SQL Injection — C&Cm@il package olln-baseCWE-89 7.5 High2026-02-09
CVE-2026-2234 HGiga|C&Cm@il - Missing Authentication — C&Cm@il package olln-baseCWE-306 9.1 Critical2026-02-09
CVE-2026-2216 rachelos WeRSS we-mp-rss tools.py download_export_file path traversal — WeRSS we-mp-rssCWE-22 4.3 Medium2026-02-09
CVE-2026-2190 itsourcecode School Management System controller.php sql injection — School Management SystemCWE-89 7.3 High2026-02-08
CVE-2026-2163 D-Link DIR-600 ssdp.cgi command injection — DIR-600CWE-77 4.7 Medium2026-02-08
CVE-2026-2138 Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow — TX9CWE-120 8.8 High2026-02-08
CVE-2026-2137 Tenda TX3 SetIpMacBind buffer overflow — TX3CWE-120 8.8 High2026-02-08
CVE-2026-2136 projectworlds Online Food Ordering System view-ticket.php sql injection — Online Food Ordering SystemCWE-89 7.3 High2026-02-08
CVE-2025-15027 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user — JAY Login & RegisterCWE-269 9.8 Critical2026-02-08
CVE-2026-25858 macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure — mallCWE-640 9.1 Critical2026-02-07
CVE-2026-2080 UTT HiPER 810 formUser setSysAdm command injection — HiPER 810CWE-77 7.2 High2026-02-07
CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update — TITLE ANIMATORCWE-352 4.3 Medium2026-02-07
CVE-2026-1634 Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] — Subitem AL SliderCWE-79 6.1 Medium2026-02-07
CVE-2026-1675 Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key — Advanced Country BlockerCWE-1188 5.3 Medium2026-02-07

Vulnerabilities classified as access:pre-auth represent 20998 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.